1. Introduction 


The Oil and Gas industry has hazards and risks that are inherent to its workers, environment, public, 
assets, activities, operational locations, and products. Using a standardised approach to risk 
management, that is applied consistently across all types of operation, has the advantage of 
accounting for different sources and types of risk (including, but not limited to, consideration of the 
potential consequences of environmental impacts, security threats, community grievances and 
capability scarcity, as well as personal and process safety incidents). 
The EGPC and Egyptian Oil and Gas Holding Companies’ HSE Policy mandates that their COMPANIES 
are committed to “Pursuing no harm to people and the community” and “Protecting the 
environment”. It commits them to managing risks through effective controls and minimising 
impacts on business, and it sets the overall context and leadership commitment for managing HSE risks. 
This means that all activities must be conducted in a manner designed to minimise HSE risks and protect 
the health and safety of employees, contractors, customers, the community at large and the 
environment. 
COMPANIES, through the active participation of all employees and contractors, shall strive to 
manage HSE risks to prevent incidents, injuries and occupational illnesses, progressively minimising 
environmental impact by reducing discharges, using energy efficiently and producing safe, quality 
products. ENTITIES shall require their COMPANIES to manage all risks to As Low As Reasonably 
Practicable (ALARP). 

2. Purpose 
The purpose of this standard is to establish a structured Risk Management process and consistent 
method of ranking the severity and probability of potential hazards to ensure that risks are identified, 
analysed, evaluated and treated consistently and assigned to a respective management tier for 
implementation, follow-up and closure. It seeks to help prioritize resource allocation and defines 
endorsement levels to manage levels of risk. To achieve this objective, this standard aims to provide 
a framework for: 


* Using a consistent language that is understood across the subsidiaries and operating companies 
managed by the ENTITIES. 

* Defining a unified Risk Assessment and Management System Framework for the ENTITIES 
including a unified Corporate Risk Matrix for all HSE and Business risk assessments. 

* Specifying methods and tools for effectively identifying hazards, risk analysis and evaluation using 
the Risk Tolerability criteria defined in this standard related to ENTITIES' activities. 

* Setting consistent risk tolerability criteria for qualitative, semi-quantitative and quantitative risk 
assessments in line with ENTITIES' Corporate Risk Matrix. 

* Aiding robust and informed decision making for management of HSE risk consistently across 
ENTITIES and their COMPANIES. 

* Notifying risks and endorsing risk management measures, including additional actions if 
applicable, consistently at the appropriate levels of the organization. 

* Monitoring the effectiveness of any risk management measures. 

Unless otherwise stated, all of the requirements set out in this Standard are Mandatory and it is the 
responsibility of senior management of each subsidiary, business unit and/or affiliated operations to 
ensure that these are implemented throughout the facilities that fall under their sphere of influence 
and that contractors and subcontractors working on their facilities are fully aware of and compliant 
with these requirements. 
3. Scope 


This document stipulates the mandatory requirements applicable to the Egyptian General Petroleum 
Corporation (EGPC) and Oil and Gas Holding Companies, including the Egyptian Natural Gas Holding 
Company (EGAS), the Egyptian Petrochemical Holding Company (ECHEM) and the South Valley 
Petroleum Holding Company (GANOPE) covering all of their operational subsidiaries, state-owned 
companies, affiliates and joint ventures. 

ENTITIES and their COMPANIES and contractors shall ensure that all requirements listed herein are 
fully understood, implemented, complied with and monitored at all times including current 
operations, existing and future projects during the whole projects’ lifecycle from feasibility till 
decommissioning. 

4. Definitions & Abbreviations 


ENTITIES: hereinafter are used to indicate EGPC and Holding Companies i.e., EGAS, ECHEM and 
GANOPE that are required to enforce implementation of this standard across their COMPANIES. 
COMPANIES: hereinafter are used to indicate operating company, subsidiary, affiliated, Joint Venture 
companies that are required to comply with ENTITIES’ standards. 


For other definitions and abbreviations, refer to PSM Glossary document EGPC-PSM-GL-011. 
5. Laws and Regulations 


Currently, there are no Egyptian laws or regulations that specify in detail the risk management 
requirements. However, some articles in the Labour law and the Environmental law are relevant in that 
the consequences of a hazard may result in either adverse environmental impacts or effects on 
people, including but not limited to the following: 

* Labour Law 12 of 2003 (Book Five), Articles 208, 209, 210, 211, 212, 213, 214, 215, 217, 219. 

* Minister of Manpower Decree no. 211 of 2003. 

* Law no. 59 of 1960 regulating the work with ionizing radiations and preventing its hazards. 

* Minister of Health Decree no. 265 of 1989 regarding prevention measures in the field of industrial 
radiographic photography. 

* Law no. 7 of 2010 regulating nuclear and radiological activities. 

* Prime Minister Decree no. 1326 of 2011 to issue the executive regulations of Law no. 7 of 2010. 

* Law 93 of 1962 regarding the disposal of liquid waste, and the Decree of the Minister of Urban 
Communities no. 44 of 2000 regarding the disposal of liquid waste. 

* Law 48 of 1982 regulating the protection of the Nile and waterways from pollution. 

* Law no. 55 of 1977 regarding the establishment and management of thermal machines and steam 
boilers, and Decree no. 154 of 2007 Resolution to amend some provisions of the executive 
regulations of Law 55 of 1977. 

* Law no. 4 of 1994 and its amendments by Law no. 9 of 2009 and Law no. 105 of 2015 and their 
executive decrees. 

ENTITIES must ensure that their COMPANIES comply with all relevant Egyptian laws and regulations 
at all times, including any laws that may be introduced after the publication of this standard. 

6. Roles, Responsibilities, and Governance Structure 

To ensure risks within ENTITIES are consistently managed by the approach outlined in this standard, 
ENTITIES and COMPANIES shall create and sustain an organization that supports and is conducive to the 
management of risk. The governance structure is as shown in Annex H - Risk Management Review 
Committees, while roles and responsibilities are outlined in Annex G - Roles and Responsibilities. 
7. Requirements 

Risk management can only be achieved through the management of known and potential hazards 
and risks. This requires the definition of a Risk Assessment and Management System. Within the IOGP 
Operating Management System (OMS) Framework shown in Figure 1 and its OMS Implementation 
Guideline adopted by EGPC, risk management is an integral part of many of the organization’s macro 
processes and, at the same time, it is central to decision-making within the OMS, explicitly addressing 
uncertainty to protect the company and its stakeholders. 


[Figure 1 (image not reproduced): the IOGP OMS framework wheel, with "The Fundamentals" at its centre; Element 5 is Risk assessment and control.] 

Figure 1: OMS, Element 5 - Risk assessment and control (IOGP, 2014) 


7.1. Risk Management Process 
Risk Management is an integral part of the organization management system, decision-making 
process, and is integrated into the structure, operations, and processes of the ENTITIES and their 
COMPANIES. 
ISO 31000, Risk Management, provides the framework and process for managing risks, while 
ISO 31010, Risk Assessment Techniques, provides a list of tools that can be applied regardless of the 
size and scale of the companies. The applicability of risk assessment techniques to the ISO 31000 
process is well described in ISO 31010. 


Figure 2 provides the framework and process of managing risk in COMPANIES during its lifecycle and 
includes a customized list of Risk Management techniques that can be used to ensure proper and 
sound risk management. 


[Figure 2 (image not reproduced): the ISO 31000 process stages in sequence, Scope, Context, Criteria (Clause 7.3); Risk Identification (Clause 7.4); Risk Analysis (Clause 7.5); Risk Evaluation (Clause 7.6); Risk Treatment (Clause 7.7); and Recording & Reporting, each annotated with the ISO 31010 techniques applicable to it. Techniques named in the figure: Brainstorming, Delphi Technique, Nominal Group Technique, Interviews, Surveys, Checklists, FMEA/FMECA, HAZOP, SWIFT, Cindynic approach, Ishikawa method, Root Cause Analysis, Scenario Analysis, HACCP, LOPA, Bayesian Analysis, Bayesian Network, Business Impact Analysis, Event Tree Analysis, Fault Tree Analysis, Cause-Consequence Analysis, Markov Analysis, Monte Carlo Simulation, Causal Mapping, Cross Impact Analysis, Toxicological Risk Assessment, Data Protection Impact Analysis, Value at Risk (VaR), Conditional Value at Risk, Bow Tie Analysis, ALARP/SFAIRP, Frequency-number (F-N) diagram, Pareto Charts, Reliability Centered Maintenance, Risk indices, Cost/Benefit Analysis, Decision Tree Analysis, Game Theory, Multi-criteria Analysis, Risk Register, Consequence-Likelihood Matrix and S-curve.] 

Figure 2: Application of techniques in the ISO 31000 risk management process (ISO 31010, 2019) 


Note: these techniques are indicative and should be used based on the nature of the facility, operation 
and project phase, aligned with the process safety studies in the Major Projects Guidelines EGPC-PSM-GL-002. 
7.2. Risk Management Process Requirements 


* Chairman and Managing Director(s) of each COMPANY belonging to any of the ENTITIES shall be 
accountable for conformance to the requirements of this Standard. 

* Each COMPANY that belongs to any of the ENTITIES shall: 

o identify the risks relevant to its accountabilities across the types of risks (e.g., Process Safety, 
Occupational Health & Safety, Environmental and Compliance); 

o identify, assess, respond to and monitor risks in accordance with this Standard; 

o assess the level of risks based on a Worst Credible accidental scenarios for each of the 
applicable severity and likelihood criteria defined in Annex A - Corporate Risk Assessment 
Matrix; 

The extent (breadth and depth) of risk assessment is proportionate with the impact level and 
type of risk and the nature of the impacts. The extent of risk assessment may range from a 
professional judgment to a formal quantified risk assessment. 

o produce their internal Risk Assessment Matrix based on severity and likelihood criteria 
defined in Annex A - Corporate Risk Assessment Matrix with only allowable changes to 
financial impact criteria reflecting their asset value and annual production or profit plans 
according to the percentage identified in Table 4 for financial impact; 

o follow risk management measures according to Annex E - Risk Control Measures; 

o document the risks they are accountable for and how they are managed; 

o establish and maintain a Risk Register and Risk Action Plan for each Level 1 (Red), Level 2 
(Amber), and Level 3 (Yellow) risks as per Annex D - Risk Register and Action Plan Template; 
and, 
o notify and endorse risks, the Risk Register and the Action Plan, at a minimum, to the levels defined 
in Annex I - Signoff requirements for various residual risk levels, based on the highest residual 
risk rating determined by the colours on the risk matrix. 

Significant changes to risks and their management shall be notified and endorsed, respectively, 
at the levels consistent with the colours on the Corporate Risk Matrix. 

* Where improvements are needed to the management of risks, additional actions with owners, 
timelines for completion and resources required shall be developed and implemented. 
Additional actions can be developed and prioritised based on the risk assessment, strength of 
existing risk management measures, strategy and plans, legal and regulatory requirements and 
any other factors that could affect timing. 

To help decide whether improvements are needed, consider whether the risk is sufficiently 
managed by existing risk management measures. This could include reference to applicable 
ENTITIES' requirements, laws, regulations and proven practices in the industry. 

* Risks and the effectiveness of risk management measures shall be: 

o Specific, Measurable, Achievable, Time framed (SMART); 

o referred to best available data or expert judgement; and 

o monitored to an appropriate extent, reviewed and updated frequently as identified in Annex 
H - Risk Management Review Committees. 

The extent and how often risk monitoring is conducted is proportionate with the level and 
type of risk and the nature of the impacts. 

* Annex F - Risk Assessment Fundamentals guides the key steps and expectations of a risk 
assessment process that might be applied. 


7.3. Establish Context 


Before starting any operation or project, it is important to establish the context and assess the risks. 
There should be a clear understanding of the technical objectives, scale of operations, geographic 
location and timeframe. Taking this into consideration, as well as any relevant stakeholder input, all 
potential consequences should be assessed. The likelihood of occurrence of a hazard and the 
potential severity of a consequence is used to assess the level of risk. A realistic view can then be 
taken of the worst-case, credible outcome of a scenario, taking into account the extent to which 
severe consequences can be foreseen, particularly those with a low likelihood of occurrence. 

The general approach to risk management starts by considering both external and internal contexts. 
External context may include social, cultural, economic, regulatory and environmental aspects at 
local, regional, national or international levels; and how these affect the company’s objectives and its 
relationships with stakeholders. Internal context may include how the company is organised and 
governed, its policies and objectives, capabilities and resources, information and decision-making 
systems, contractual and partnering relationship, and its culture. 


7.4. Hazard Identification and Screening 


For hazards associated with the activities throughout the life cycle of COMPANIES belonging to any 
of the ENTITIES, all threats and causes that could lead to potentially hazardous events resulting in 
undesirable consequences shall be systematically identified. 

Hazard Identification is the first step in the risk assessment process. This can be done using structured 
techniques, such as HAZID, HAZOP, HITRA, etc. 

In projects, the Guideline for Process Safety Studies for Oil, Gas and Petrochemical Projects EGPC-
PSM-GL-002 shall be adopted, whereas emerging risks during the operations phase are assessed 
according to their risk level following the Risk Assessment Framework process shown in Annex B - 
Risk Assessment Framework. 


7.5. Risk Analysis 


The process of carrying out a risk assessment will result in an understanding of the level and 
significance of risks that leads to “Informed Decisions” related to the implementation of appropriate 
risk control and risk reduction measures. 


Risk analysis is an analytical informative process to understand risk level that includes a detailed 
examination of the identified hazards, addressing the potential consequences and determining the 
severity level of addressed consequences, the likelihood of consequences occurrence and the risk 
level. 


The unified Corporate Risk Matrix shall be used for carrying out qualitative and semi-quantitative risk 
assessments. The Corporate Risk Matrix is separated into four regions that identify the limit of risk 
tolerability: 

1. Level 1 - High Risk (Red / Intolerable Risk Region): The risk level is not acceptable and risk control 
measures are required to move the risk figure to be tolerable and in the ALARP region. 

2. Level 2 - Risk reduction measure (Amber / Medium-High-Risk Region): The risk level shall be 
mandatorily reduced applying suitable and sufficient corrective measures, provided that the 
implementation of such measures is ALARP. 

3. Level 3 - Risk reduction measure (Yellow / Medium-Risk Region): The risk level requires control 
measures, provided that the implementation of such measures is ALARP. 

4. Continuous improvement (Green / Low-Risk Region): The risk level requires continuous 
monitoring to prevent deterioration or deviation from performance standards. 
Risk analysis may be undertaken using qualitative, semi-quantitative or quantitative methods. Each 
of these methods is discussed briefly below. 


7.5.1. Qualitative Risk Assessment 

In the Qualitative Risk Assessment process, the risks are analysed based on expert judgment to 
judge the likelihood and impact of the hazardous events. The estimated severity and likelihood are 
plotted on the Risk Matrix to assign a level and category of the risk. Several techniques can be used 
in qualitative risk assessment, such as JSA, HAZID, HAZOP, etc. 

The Corporate Risk Matrix includes the definitions of consequence severity and likelihood levels. 
If the estimated consequence severity varies for different categories, e.g., people, assets, etc. then 
the highest severity shall be selected for determining the overall risk level. 

If the assessed risk level using qualitative methods (initial screening) is ‘Red’ or ‘Amber’, then Semi- 
Quantitative or Quantitative Risk Assessments shall be used to validate before deciding on risk 
treatment options. For the project phases, this is achieved by carrying out quantified studies for 
the identified Major Accident Hazards. Annex C - Qualitative Risk Assessment Workflow provides 
a more detailed overview. 


7.5.2. Semi-Quantitative Risk Assessment 

The basis for the risk estimate is usually qualitative, although increasingly there is some 
quantitative basis (for either the consequences or the likelihood or both). 

Semi-quantitative risk assessments are structured risk assessment techniques, which can use 
simple consequence modelling techniques where applicable to derive estimates of the severity 
level of the hazard scenario, and event tree and fault tree analysis to quantify the likelihood of 
hazards resulting in hazardous events. 

Estimates of failure frequencies and reliability data of specific equipment/systems are used to 
estimate the likelihood of unwanted events. These estimates can be combined with severity to 
obtain estimates of the order of magnitude of the risk. 

Methods such as Layer of Protection Analysis (LOPA) shall be used for carrying out semi-
quantitative risk assessments. This method may use techniques such as Fault Tree Analysis (FTA), 
Event Tree Analysis (ETA), etc., to quantify the frequencies. 


7.5.3. Quantitative Risk Assessment 

Quantified Risk Assessments involve a numerical estimate of the risk from a quantitative 
consideration of hazardous events probabilities (at which a release of the hazard may be expected 
to occur) and the size of consequences associated with a hazard. These aspects are then combined 
to obtain numerical values for risk, which is compared against the Holding Companies’ Risk 
Tolerability Criteria to assure that overall risk levels are managed to As Low As Reasonably 
Practicable (ALARP). 

Some risk assessment techniques may be used to estimate quantitatively different event 
rates/frequencies or probabilities (e.g., ETA), while for the quantitative determination of the size of 
the consequences, consequence modelling software is usually used. 

Detailed quantified assessment is usually carried out in various studies, such as QRA and FERA; each 
study has an objective and should cover a certain scope and purpose. 

In carrying out quantitative risk assessments, specific quantitative tools and techniques are used 
for estimating the severity of the consequences and the likelihood of the hazardous scenario 
occurring for various identified scenarios within the study boundary. For details of the QRA 
process, refer to Quantitative Risk Assessment (QRA) Guideline EGPC-PSM-GL-008. 
7.6. Risk Evaluation 


Risk evaluation refers to the process used to assist in making decisions based on the outcome of risk 
analysis, by comparing the risk estimates with the risk tolerability criteria. 
Risk evaluation is used to identify any residual risk (or increased risk level) and provides inputs to the 
decision-making process on whether risks need to be treated and on the most appropriate risk 
treatment strategies and methods. Subsequently, the purpose of risk evaluation is to assist in making 
decisions (based on the outcomes of risk analysis) about which risks need treatment and which 
priority must be assigned for their treatment. 
Risks are prioritized for risk response. Unacceptable risks are ranked and prioritized with other risks. 
A common approach to prioritizing risks is to divide them into three bands (according to the unified 
Corporate Risk Matrix): 
* An upper band, where the level of risk (Level 1 - Red) is regarded as intolerable whatever benefit 
the activity may bring, and risk treatment is essential whatever its costs; 
* A middle band (Level 2 - Amber and Level 3 - Yellow), where costs and benefits are considered 
and opportunities balanced against potential consequences; and 
* A lower band (Green), where the level of risk is regarded as negligible, or so small that no risk 
treatment measures are needed. 
7.6.1. A framework for risk criteria 
The most common framework used for risk criteria divides risks into the three bands shown in 
Figure 3: 
* An unacceptable region, where risks are intolerable, and risk reduction measures are 
mandatory. 
* A middle band, or tolerable if ALARP region, where risk reduction measures are desirable, but 
may not be implemented if their cost is disproportionate to the benefit achieved. 
* A broadly acceptable region, where no further risk reduction measures are normally needed. 


[Figure 3 (image not reproduced): ALARP "carrot" diagram with three regions from top to bottom. Unacceptable region: risk cannot be justified except in extraordinary circumstances. Tolerable if ALARP region: tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained; risk is taken only if a benefit is required; tolerable if cost of reduction would exceed the improvement. Broadly acceptable region: necessary to maintain assurance that risk remains at this level.] 

Figure 3: Framework for tolerability of risk (Ref. ALARP carrot diagram example given by UK HSE COMAH) 
7.6.2. Criteria for Qualitative and Semi-Quantitative Risk Assessment 

Risk criteria for qualitative and semi-quantitative risk assessment are defined in the risk matrix 
used for the assessment. A risk matrix facilitates the quick assignment of risk levels for each risk 
level (Red, Amber, Yellow and Green) demonstrated in the unified Corporate Risk Matrix. 

As part of the Qualitative and Semi-Quantitative Risk assessment, once risks are identified: 

* they are mapped on the risk matrix in four risk categories (Health & Safety, Environment, 
Financial and Non-Financial criteria), and 

* short-term and long-term risk reduction measures are identified and, against each of the 
recommendations, residual risk is determined and mapped on the risk matrix. 

One of the key features of the risk matrix is accountability for the risk. Once the risk is mapped on 
the risk matrix, accountability is assigned, based on the risk level/category, across the management 
hierarchy for the risk reduction, action implementation, follow-up and closeout. 


7.6.3. Quantitative Risk Assessment Tolerance Criteria 

Quantitative risk criteria are standards used to translate numerical risk estimates, as produced by 
a Quantitative Risk Assessment (QRA), into value judgements such as ‘negligible risk’ (e.g. the risk 
value is lower than 10⁻⁶ per year, which means lower than 1 fatality every 1 million years), that can then be 
set against other value judgements such as ‘high economic benefit’ in the decision-making process. 
To define the three bands of risk (acceptable, Tolerable if ALARP, and unacceptable), two levels of 
risk criteria are required: 

* A maximum tolerable criterion, above which the risk is intolerable; 

* A broadly acceptable criterion, below which the risk is insignificant; and 

* Between these two criteria lies the ALARP region. 


Risks to people may be expressed in two main forms: 


* Individual Risk - the risk experienced by a person. 

* Societal (or Group) Risk - the risk experienced by the whole group of people exposed to the 
hazard. Where the people exposed are members of the public, the term Societal Risk is often 
used. Where workers are isolated and members of the public are unlikely to be affected, the 
term group risk is often used. In this document, the term Societal Risk is used to encompass 
both public and worker risk. 
7.6.3.1. Individual Risk Criteria (IRPA) 

Individual Risk criteria are intended to show the frequency at which an individual (worker or public) 
may be expected to sustain a given level of harm from the realization of specified hazards. It is 
usually taken to be the risk of death and usually expressed as a risk per year. 

Individual Risk is calculated by identifying all sources of fatality risk to a given individual, deriving 
the contribution from each source and then summing these to give the overall risk. For typical oil, 
gas and petrochemical workers the primary sources of risk are, as a minimum: 

* Transport, e.g., road traffic accidents, air/sea transport accidents. 

* Hydrocarbon related, e.g., loss of containment leading to toxic releases, fires or explosions. 

Note: COMPANIES have the choice to consider the Occupational Safety Risks in their Quantitative 
Risk Assessment, e.g., slips, trips and falls, drowning, dropped objects, lifting, working at heights, 
etc. within the overall risk calculations (which might increase the overall risk value). 

Individual Risk criteria are most commonly expressed in the form of Individual Risk Per Annum (IRPA). The 
IRPA is calculated for a representative worker of a given worker group, considering the expected occupancy at all the 
locations where he is expected to be present within the hazardous location throughout the year. This 
includes plants, accommodations, recreational activities, etc. The calculation excludes the 
duration for which personnel are not present at the site for reasons such as annual leave; 
personnel are considered not exposed to facility operations or occupational risk during this duration. 
This criterion is applicable for all COMPANIES belonging to ENTITIES. It is mandatory to 
demonstrate that risk levels are within the criteria given in Figure 4. 


[Figure 4 (image not reproduced): ALARP triangle with risk increasing upwards. Unacceptable region at and above 10⁻³ per year (worker) and 10⁻⁴ per year (public); ALARP region below these limits; broadly acceptable region below 10⁻⁶ per year (both). The exponents were unreadable in the extracted figure and are reconstructed from the UK HSE onshore individual-risk criteria the caption cites.] 

Figure 4: ALARP Demonstration (Ref. UK-HSE - onshore process Individual Risk criteria) 

                                Workers          Member of public 
Maximum tolerable criterion     10⁻³ per year    10⁻⁴ per year 

Table 1: Tolerability Criteria 


Note (1) Individual Risk Criteria are intended to demonstrate that individual people are not exposed 
to excessive risk, assuming all individuals are equally exposed and protected. 

Note (2) Individual Risk to workers means Individual Risk to onsite personnel and outside nearby 
same business' industrial facilities only (i.e. petrochemical, oil and gas facilities), and Individual Risk 
to public means Individual Risk to offsite personnel. 


At the top of the triangle is the unacceptable level, on or above which the risk is so great or the 
outcome so unacceptable that it must be reduced immediately. 

At the other extreme is the broadly acceptable region, where the risk is so low that there is no 
further requirement to undertake additional risk reduction measures, i.e., the risk is, or has been 
made, so small that no further precaution is warranted. 

In between these two extremes, lies a wide range of tolerable risk levels to which the ALARP 
principle applies, i.e., the risk must be reduced to the lowest level practicable, bearing in mind the 
benefits flowing from its acceptance and taking account of the costs of any further reduction. Thus, 
for the risks which fall within the Tolerable region, some weighing of costs and benefits, i.e., Cost-
Benefit Analysis, is necessary to determine compliance with the ALARP principle. 
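The IRPA method described in 7.6.3.1 (sum the contribution of every fatality-risk source for a representative worker, weighting each location by the fraction of the year the worker is actually there, treat time off site as zero exposure, then place the total in the Figure 4 bands) can be written out as a short calculation. The following is an added worked example, not code from the standard or from EGPC. The location-specific risks, occupancy hours and per-trip transport risk are constructed illustrative values; the criteria constants are the published UK HSE onshore individual-risk values that Figure 4 cites.

```python
"""Individual Risk Per Annum (IRPA) for a representative worker.

Added worked example; it is not part of the EGPC standard. It applies the
method of 7.6.3.1: identify every fatality-risk source for one worker group,
derive each source's contribution, sum them, and compare the total with the
individual-risk criteria. All numbers below (location risks, occupancy hours,
transport risk) are constructed for illustration.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# Criteria in fatalities per year. The standard's Figure 4 cites the UK HSE
# onshore individual-risk criteria; these are the published UK HSE values.
MAX_TOLERABLE = {"worker": 1.0e-3, "public": 1.0e-4}
BROADLY_ACCEPTABLE = 1.0e-6


@dataclass(frozen=True)
class Exposure:
    """Time a representative worker spends at one location on site."""
    location: str
    hours_per_year: float   # hours physically present at this location
    lsir_per_year: float    # location-specific individual risk for a person
                            # present 100% of the year (constructed inputs)


def hydrocarbon_irpa(exposures):
    """Hydrocarbon-related contribution: each location's full-occupancy risk
    scaled by the fraction of the year the worker is actually there.

    Hours not covered by any exposure (annual leave, time off site) count as
    zero exposure, as 7.6.3.1 requires.
    """
    total_hours = sum(e.hours_per_year for e in exposures)
    if total_hours > HOURS_PER_YEAR:
        raise ValueError("occupancy exceeds the hours in a year")
    return sum(e.lsir_per_year * e.hours_per_year / HOURS_PER_YEAR
               for e in exposures)


def transport_irpa(trips_per_year, fatality_risk_per_trip):
    """Transport contribution: number of journeys times risk per journey."""
    return trips_per_year * fatality_risk_per_trip


def irpa(exposures, trips_per_year, fatality_risk_per_trip,
         occupational_per_year=0.0):
    """Sum all fatality-risk sources for the representative worker.

    occupational_per_year is the optional occupational-safety contribution
    that the standard leaves to the COMPANY's choice (slips, trips, falls...).
    """
    contributions = {
        "hydrocarbon": hydrocarbon_irpa(exposures),
        "transport": transport_irpa(trips_per_year, fatality_risk_per_trip),
        "occupational": occupational_per_year,
    }
    contributions["total"] = sum(contributions.values())
    return contributions


def classify(irpa_value, group="worker"):
    """Place an IRPA value in the Figure 4 bands for the given group.

    A value on or above the maximum tolerable criterion is unacceptable;
    below the broadly acceptable criterion no further reduction is required.
    """
    if irpa_value >= MAX_TOLERABLE[group]:
        return "unacceptable"
    if irpa_value < BROADLY_ACCEPTABLE:
        return "broadly acceptable"
    return "tolerable if ALARP"


def example_operator():
    """Constructed case: 14-days-on / 14-days-off rotation, 12-hour shifts.

    182.5 days on site a year: 2190 h on shift in the process area and 2190 h
    off shift in the accommodation; the remaining 4380 h are off site and
    therefore contribute nothing.
    """
    exposures = [
        Exposure("process area", 2190.0, 3.0e-3),   # constructed LSIR
        Exposure("accommodation", 2190.0, 4.0e-4),  # constructed LSIR
    ]
    # 26 rotations a year, two transport legs each; constructed per-leg risk
    result = irpa(exposures, trips_per_year=52, fatality_risk_per_trip=2.0e-6)
    result["band"] = classify(result["total"], "worker")
    return result


if __name__ == "__main__":
    for name, value in example_operator().items():
        print(f"{name:>12}: {value}")
```

In the constructed case the hydrocarbon sources contribute 8.5E-04 per year and transport 1.04E-04, giving an IRPA of 9.54E-04: below the worker limit but well inside the ALARP region, so the cost-benefit weighing described above applies rather than a simple pass. Adding the optional occupational-safety contribution would raise the total, which is the effect the standard's note warns of.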
7.6.3.2. Societal (Group) Risk Criteria: 
Societal Risk evaluation is concerned with the estimation of the chances of more than one 
individual being harmed simultaneously by an incident. The likelihood of the primary event (an 
accident at a major hazard plant) is still a factor, but the consequences are assessed in terms 
of the level of harm and the numbers affected (severity), to provide an idea of the scale of an 
accident in terms of numbers killed or harmed. 

Societal Risk is dependent on the risks from the substances and processes located on a major 
hazard installation. A key factor in estimating Societal Risk is the population inside and around 
the site; in particular, its location and density. 

The Criteria may be defined to limit the risk of major accidents and help target Societal Risk 
reduction measures (such as restrictions on concurrent activities or land use, enhanced 
engineered safeguards, and improved building siting or protection). 

The concept of Societal Risk against Individual Risk is illustrated in Figure 5, where situations I and II 
have equal Individual Risk levels, while situation II has a larger Societal Risk (SR) because in 
situation II more people are exposed than in situation I. Therefore, if the Individual Risk levels are 
acceptable in both situations, the Societal Risk may not be acceptable for situation II. 

IR(I) = IR(II) 
SR(I) < SR(II) 

Figure 5: The concept of Societal Risk (Ref. Risktec Essentials - An introduction to the quantitative assessment of 
risks associated with high hazard facilities). 


7.6.3.2.a. FN-diagram 

The FN curve is the curve of cumulative frequency versus numbers of fatalities on a 
logarithmic scale. FN curves are frequency-fatality plots, showing the cumulative 
frequencies (F) of events involving N or more fatalities. They are derived by sorting the 
frequency-fatality (FN) pairs from each outcome of each accidental event and summing 
them to form cumulative frequency-fatality (FN) coordinates for the plot. 

A common form of presenting risk tolerability Criteria for Societal Risk on an FN diagram is 
to have two criteria lines to distinguish three regions; an area where risk is intolerable, an 
area where it is broadly acceptable and a region where it requires further assessment and 
risk reduction as far as is reasonably practicable. ENTITIES’ Criteria for Societal Risk is 
shown in Figure 6. 
Figure 6: Criteria for Societal Risk (Ref. Risktec Essentials - An introduction to the quantitative assessment of risks 
associated with high hazard facilities, with adaptation). 
The diagram plots the Frequency of Events with N or More Fatalities (per year) against the Number of 
Fatalities (N) on logarithmic axes; two criteria lines separate the regions "Intolerable", "Further 
assessment & risk reduction" and "Broadly acceptable", and an example FN curve is shown crossing into 
the region where it exceeds the criteria. 


At the top of the curve is the unacceptable level (F = 2.0E-04, for N = 50, and the Slope = -1), 
on or above which the risk is so great or the outcome so unacceptable that it must be 
reduced immediately. 

At the other extreme is the broadly acceptable level (F = 2.0E-06, for N = 50, and the Slope 
= -1), where the risk is so low that there is no further requirement to undertake additional 
risk reduction measures, i.e., the risk is, or has been made, so small that no further 
precaution is warranted. 

In between these two extremes, lies a wide range of tolerable risk levels to which the 
ALARP principle applies, i.e., the risk must be reduced to the lowest level practicable, 
bearing in mind the benefits flowing from its acceptance and taking account of the costs of 
any further reduction. 

7.6.3.2.b. Potential Loss of Life (PLL) 

The other main measure for Societal Risk is the annual fatality rate, where the frequency 
and number of fatalities are combined into a Potential Loss of Life (PLL), which is a 
convenient one-dimensional measure of the total number of expected fatalities. 

Potential Loss of Life (PLL) is simply the sum of the products of all f-N pairs, i.e., 
PLL = Σ (f × N) [people/year]. 

PLL is well suited for comparing alternative solutions for the same facility, is relatively easy 
to understand for non-risk specialists, and must be calculated to be able to derive the cost- 
effectiveness of risk reduction options. Multiplying the annual PLL by the expected lifetime 
of a facility gives a Lifetime PLL, by which the overall number of fatalities incurred by the 
facility, over its entire operational period, can be estimated; lifetime PLL is the basis on which 
risk reduction measures should be assessed using Cost-Benefit Analysis. PLL should be 
presented as a measure to compare the relative degree of "safety", expressed as potential 
loss of life, for different options or developments. This should be used in conjunction with 
IRPA levels. 
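The FN-curve construction and the PLL sum described in the two subsections above, as an added worked example that is not part of the standard: it builds the cumulative FN coordinates from a constructed set of outcome frequency-fatality pairs, tests the curve against the two criterion lines of Figure 6 using the anchor values quoted above (F = 2.0E-04 and F = 2.0E-06 at N = 50, slope -1), and computes annual and lifetime PLL. The sample outcomes and the 30-year facility lifetime are assumed values.

```python
"""FN curve, tolerability region and PLL for a set of accident outcomes."""

# Constructed sample outcomes, not taken from the standard: (f per year, N fatalities).
SAMPLE_OUTCOMES = [
    (1.0e-4, 1),
    (5.0e-5, 3),
    (2.0e-5, 12),
    (4.0e-6, 50),
    (1.0e-6, 200),  # rare, high-consequence event
]

# Criterion anchor points from the standard: frequency at N = 50, slope -1 (log-log).
ANCHOR_N = 50
INTOLERABLE_F50 = 2.0e-4
BROADLY_ACCEPTABLE_F50 = 2.0e-6


def fn_curve(outcomes):
    """Return FN coordinates [(N, F)] sorted by increasing N, where F is the
    cumulative frequency of events causing N or more fatalities.

    Frequencies of outcomes with the same N are summed first; the cumulative
    sum is then taken from the largest N downwards.
    """
    per_n = {}
    for f, n in outcomes:
        if n <= 0:
            continue  # outcomes without fatalities do not appear on an FN curve
        per_n[n] = per_n.get(n, 0.0) + f
    points = []
    cumulative = 0.0
    for n in sorted(per_n, reverse=True):
        cumulative += per_n[n]
        points.append((n, cumulative))
    points.reverse()
    return points


def criterion_frequency(n, f_at_anchor, slope=-1.0):
    """Frequency on a criterion line through (ANCHOR_N, f_at_anchor) with the
    given log-log slope, evaluated at N = n.  For slope -1 this reduces to
    f_at_anchor * ANCHOR_N / n."""
    return f_at_anchor * (n / ANCHOR_N) ** slope


def classify_fn(points):
    """Place an FN curve in one of the three regions of Figure 6.

    'intolerable'        : any point on or above the upper criterion line
    'alarp'              : otherwise, any point above the lower line
    'broadly acceptable' : every point on or below the lower line
    """
    region = "broadly acceptable"
    for n, f in points:
        if f >= criterion_frequency(n, INTOLERABLE_F50):
            return "intolerable"
        if f > criterion_frequency(n, BROADLY_ACCEPTABLE_F50):
            region = "alarp"
    return region


def exceedances(points):
    """N values at which the curve is on or above the upper line, i.e. where
    risk reduction must be targeted first."""
    return [n for n, f in points if f >= criterion_frequency(n, INTOLERABLE_F50)]


def pll(outcomes):
    """Potential Loss of Life: sum of f * N over all outcomes [people/year]."""
    return sum(f * n for f, n in outcomes)


def lifetime_pll(outcomes, years):
    """Lifetime PLL: annual PLL multiplied by the facility's expected lifetime."""
    return pll(outcomes) * years


if __name__ == "__main__":
    curve = fn_curve(SAMPLE_OUTCOMES)
    for n, f in curve:
        print(f"N >= {n:>4d}: F = {f:.2e} /yr  "
              f"(upper line {criterion_frequency(n, INTOLERABLE_F50):.2e}, "
              f"lower line {criterion_frequency(n, BROADLY_ACCEPTABLE_F50):.2e})")
    print("region:", classify_fn(curve))
    print(f"PLL = {pll(SAMPLE_OUTCOMES):.2e} people/year, "
          f"30-year lifetime PLL = {lifetime_pll(SAMPLE_OUTCOMES, 30):.3f}")
```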
7.6.3.3. Risk contours (LSIR) criteria for Land Use Planning (LUP) 
Risk contours are iso-risk contour plots that represent the geographical variation of the risk for a 
hypothetical individual who is positioned at a particular location for 24 hours per day, 365 days 
per year. This is also known as Location-Specific Individual Risk (LSIR). 

Land use planning (LUP) criteria is a planning tool to advise on new developments, 
accommodations that are constructed near the existing facility boundary or for siting the 
facility in the vicinity of the existing occupied building area or master plan updates for existing 
assets. The purpose of defining LUP zones is to minimize risk to people around the hazardous 
facility by specifying how close certain types of facilities can be developed. For example, 
relatively low occupancy nonindustrial development such as warehouses...etc. can be allowed 
to be relatively close to the facility boundary whereas vulnerable populations, such as schools, 
hospitals ...etc. need to be further away from the facility. 

The recommended Individual Risk levels to be used, in respect of hazardous substances/sites, 
include the risk contributions from all sources, with the inner zone criteria of LSIR from 
10^-4 to 10^-5 per year, the middle zone from 10^-5 to 10^-6 per year and the outer zone beyond 10^-6 
per year. Restrictions are placed on activities or structures within the various zones, as shown in 
Figure 7. 


Figure 7: Allowable Land Uses 
(Ref. Major Industrial Accidents Council of Canada - MIACC's Risk Acceptability Criteria) 
Annual Individual Risk thresholds: 100 in a million (10^-4), 10 in a million (10^-5), 1 in a million (10^-6). 
Between the risk source and 10^-4: No other land use. 
10^-4 to 10^-5: Manufacturing, warehouses, open space (parkland, golf courses, etc.). 
10^-5 to 10^-6: Commercial, offices, low-density residential. 
Below 10^-6: All other uses, including institutions, high-density residential, etc. 


Table 2: Definition of Zones for Land Use Planning (LUP) 
Columns: Location Specific Individual Risk (LSIR); Zones; Examples for types of Allowable Land Uses. 


Note 1: The LUP criteria above shall be used in conjunction with the F-N curve, H2S zones and the 
consequence-based approach for toxic hazards, as applicable. 

Note 2: The LUP criteria shall be applied to new oil and gas facilities, which are to be sited at safe distances, 
as far as possible, from areas with a different designation. Operating and older facilities may be subject to 
encroachments and outside activities; unfortunately, the law responsible for preventing such encroachments 
does not support the LUP criteria. 
7.7. Risk Treatment 


After assigning priority to risks, risk treatment should be identified to determine suitable responses, 
so that the remaining risk falls within the acceptable level of exposure. 
Risk treatment should comply with legal requirements, as well as government and organizational 
policies. Therefore, decisions concerning whether risk treatment is required may be based on 
operational, technical, financial, legal, social, environmental or other criteria. Such criteria should 
reflect the organization's context, and depend on its internal policies, goals and objectives, as well as 
its stakeholders' needs. In this respect, a team approach is useful to help define the context properly 
and for well-targeted change management during risk treatment. 
Approaches for risk treatment strategies are detailed in Annex E - Risk Control Measures. 

8. Reporting Risks 
For a new project, all risk assessment and associated risk reduction measures are usually documented 
in the respective HSE and Process Safety studies, ALARP demonstration report and Safety Case report. 
The Project Manager is accountable and responsible for the implementation of the risk 
reduction measures. The Risk Register and Action Plan (RRAP) (see Annex D - Risk Register and Action 
Plan Template) shall be used to record, track, close out and follow up all the identified risks. 
For operating sites, where risks are identified, risk assessment reports are developed. All the 
identified short-term and long-term risk reduction measures shall be documented and tracked via the 
RRAP. For each identified risk and its risk reduction measures, a risk accountable shall be assigned, 
based on the identified risk level, for the implementation of the risk reduction measures. 
Management approval of the identified risk and its risk reduction measures shall be obtained as per 
the Corporate Risk Matrix. A risk is not considered to be mitigated unless all the risk reduction 
measures are implemented. 
From the risk assessment process, each COMPANY shall develop a Risk Register which details the 
main areas of risk associated with activities in all operating units (e.g., exploration, development, 
projects, operations), including normal and temporary activities (e.g., operation plant, warehouse, 
marine base, headquarter, drilling activity, seismic). 
The RRAP shall capture the most significant hazards (together with their consequences and 
probability of occurrence) which, if realized, have the potential to adversely affect the COMPANY with 
consequential negative impacts on its HSE performance and reputation. Those risks are typically 
screened as Level 1 (Red), Level 2 (Amber) and Level 3 (Yellow). 
The RRAP is owned by COMPANIES' managing director(s) while the custodian is the Risk Champion of 
relevant risk level. The RRAP is a live document and it shall be reviewed and updated frequently as 
identified in Annex H - Risk Management Review Committees. 


9. Risk Communication 

It is required that certain risk-related information be communicated to the workforce. There are 
three reasons why this is necessary: 

a. Members of the workforce are exposed to risk in their daily work lives. 

b. Some members of the workforce have key roles to play in the risk management process 
relating to the management of risk reduction measures (barriers). 

c. In their day-to-day activities, members of the workforce might interact with barriers (e.g., via 
maintenance processes which, if performed incorrectly, can defeat barriers). 

All members of the workforce need an understanding of: 


a. What existing risks they are exposed to. 
b. How they are managed. 

c. Role of individuals in managing and maintaining barriers. 

d. Role of risk management measures. 

Not everyone needs the same level of understanding and information. Communication can be 
tailored as appropriate to other key stakeholders. Information that is shared can include: 

a. Key facility-level risks. 

b. Barriers to managing these risks (i.e., what, why and how they work). 

c. Risk management plans including corrective actions relating to barrier deficiencies (and risk 
reduction opportunities). 

d. Roles and responsibilities of individuals in managing and maintaining barriers. 

e. Risk process and what to do if they find barrier degradation. 

f. What actions they may be required to take in an emergency. 

Level 1 (Red) risks shall be communicated to the relevant ENTITY as part of the planning cycle to allow 
strategic management of risks and to prioritize resource allocation at the appropriate level. 

Annex H - Risk Management Review Committees provides a high-level structure for the Risk 
Management committees at the different levels of risk where the risk shall be communicated. 


9.1. Signoff Authority 


The consultation and communication shall be through the Risk Register and action tracking 
process. The consultation process is carried out as part of risk assessment workshops with relevant 
stakeholders, wherein, all the identified risks from semi-quantitative studies and quantified 
studies, are captured, monitored and reported to the appropriate signoff authority and Executive 
Leadership Team. Reporting requirements, actions required and signoff authority levels for various 
risk levels are given in Annex G - Roles and Responsibilities. 


10. Monitor/Review the Risks 


All the identified risk and associated risk reduction measures once recorded in the risk register shall 
be reviewed periodically by associated stakeholders. A typical periodical review scheme is detailed in 
Annex H - Risk Management Review Committees. 


Each ENTITY is to conduct a Risk Review Meeting to discuss Level 1 risks received from their 
COMPANIES. 


Risk Management Steering Committee shall convene periodically to discuss the Level 1 risks escalated 
from relevant ENTITIES. 


The review should involve the following activities: 


Periodic review of identified risk levels/categories, which are not yet mitigated, or in process of 
mitigation to confirm the assumptions made during risk assessment is still valid and identified 
controls are functioning as intended. These activities should be carried out by the site team; 
Monitoring status of identified risk reduction measures to confirm the plan to manage and 
mitigate the risk is progressing. Where alternate options are identified during the review, the risk 
assessment shall be updated accordingly; and, 

Monitoring status of existing controls and any short-term actions in place until permanent 
mitigation measures are implemented. 
11. Compliance Assurance 


ENTITIES shall conduct a compliance audit of this Standard at approximately three-year intervals; 
these audits will be in addition to COMPANIES’ HSE internal audits. 


The main audit deliverable is a formal and structured report for the attention of the Risk Management 
Steering Committee. 

12. Performance KPIs 
Key Performance Indicators (KPIs) for this Standard will be considered in the Process Safety Key 
Performance Indicators (KPIs) Guideline EGPC-PSM-GL-025. 

13. Deviation 
Deviation from any requirement of this Standard shall be approved in writing by the CEO of the 
relevant ENTITY, with the consultation of the relevant CEO Assistant for HSE. 


Each COMPANY belonging to any of the ENTITIES follows a risk assessment matrix different from 
the unified Corporate Risk Matrix, shall either move to the unified Corporate Risk Matrix or 
correlate their risk assessment matrix with the unified Corporate Risk Matrix. The correlation of the 
risk matrix is considered as a deviation. 
A written dispensation includes a rationale and a detailed description of the alternative robust process 
that will be conducted. 
An approved dispensation shall not apply indefinitely and shall be reviewed annually by the relevant 
CEO Assistant for HSE. 
Severity level descriptors, from highest to lowest severity: 

* Potential for multiple fatalities Onsite (or onset of life-threatening Health effects) 
* > 10 injuries or health effects, either permanent or requiring hospital treatment for more than 24 hours 
* Single or more than 1 Public Fatality 
* Future impact, e.g., unintended release, with widespread damage which remains in an "unsatisfactory" 
state for a period > 5 years. 
* Discharge of contaminants > 100,000L in offshore and/or > 10,000L in sensitive areas 

* Potential single fatality Onsite, acute or chronic, actual or alleged. 
* 10 or more injuries or health effects, either permanent or requiring hospital treatment for more than 24 hours. 
* Serious injury to the public 
* Future impact with extensive damage which can only be restored to a "satisfactory"/agreed state in a 
period of more than 1 and up to 5 years. 
* Discharge of contaminants 1,000 - 10,000L to sensitive areas and/or 10,000 - 100,000L in offshore 

* Permanent disability(ies) 
* 3 or more injuries or health effects, either permanent or requiring hospital treatment for more than 24 hours. 
* Future impact with extensive damage which can be restored to an equivalent capability in a period of 
around 1 year. 
* Discharge of contaminants 100 - 1,000L to sensitive areas and/or 1,000 to 10,000L in offshore 

* Lost Time Injury 
* Partial disability(ies) 
* Several non-permanent injuries or health impacts 
* Future impact with localized damage which can be restored to an equivalent capability in a period of months. 
* Discharge of contaminants 10 - 100L to sensitive areas and/or 100 to 1,000L in offshore 

* Recordable injury or health effects from common source/event. 
* Medical Treatment Case or Restricted Work Day Case 
* Future impact with immediate area damage which can be restored to an equivalent capability in a period 
of months. 
* Discharge of contaminants < 10L to sensitive areas and/or 10 - 100L in offshore 

* First aid 
* Over-exposures causing noticeable irritation but no actual health effects 
* Future impact with immediate area damage which can be restored to an equivalent capability in a period 
of days or weeks. 
* Discharge of contaminants with no impact to sensitive areas and/or < 10L in offshore 
Table 4: Business Impact Levels 

Columns: Severity Level; Financial (Financial Impact on Asset, Projects and Production); Non-Financial 
(Reputation, Media, Key Stakeholder Reaction and Regulatory Enforcement). 

Level A 
Financial: 
* Disastrous damage 
* Revamping necessary to resume operations/business (> 50% of Annual Production/Business/Profit Plan) 
Non-Financial: 
* International concern 
* Extensive negative attention in international media 
* Long term national outrage 
* Substantial long-term damage to relationships with key stakeholders 
* Action by a government resulting in a complete and permanent loss of license to operate 
* Potentially severe impact on access to new areas 

Level B 
Financial: 
* Extensive damage 
* Major change to resume operations / business (> 35% - 50% of Annual Production/Business/Profit Plan) 
Non-Financial: 
* International public attention 
* National & global media coverage 
* Medium-term national outrage 
* Moderate long term damage to relationships with key stakeholders 
* Action by a government resulting in partial and/or temporary loss of license to operate 
* Substantial regulatory enforcement action by regulators 

Level C 
Financial: 
* Major damage 
* Long time change to resume operations / business (> 20% - 35% of Annual Production/Business/Profit Plan) 
Non-Financial: 
* National public concern 
* Extensive negative attention in national media 
* Long term local outrage 
* Partial damage to relationships with key stakeholders 
* Moderate regulatory enforcement action by regulators 
* Potentially restrictive measures and/or impact on grant of licences 

Level D 
Financial: 
* Local damage 
* The unit has been repaired/replaced to resume operations/business (> 5% - 1% of Annual 
Production/Business/Profit Plan) 
Non-Financial: 
* Regional public concern 
* Negative attention in national media 
* Limited local outrage 
* Limited damage to relationships with local stakeholders 
* Limited regulatory enforcement action by regulators 
* Possibly negative stance of local government 

Level E 
Financial: 
* Minor damage 
* Possible short disruption of operations / business (> 1% - 0.1% of Annual Production / Business / Profit Plan) 
Non-Financial: 
* Some local public concern/media coverage 
* Limited damage to relationships with local stakeholders 
* Government reaction to non-compliance with legal and regulatory requirements that does not result in 
consequences beyond simply restoring regulatory compliance 

Level F 
Financial: 
* Slight damage 
* Disruption to operations / business (< 0.1% of Annual Production / Business / Profit Plan) 
Non-Financial: 
* No public concern/media coverage 
* Negligible damage to relationships with local stakeholders 
* Non-compliance with regulatory requirements that does not generate any government reaction 
Table 5: Likelihood Levels 

Likelihood of Risk Event: Rare (1), Unlikely (2), Possible (3), Likely (4), Very Likely (5), Almost Certain (6). 

Qualitative criteria: 
1 Rare: A similar event has not yet occurred anywhere in our industry. 
2 Unlikely: A similar event has occurred somewhere in our industry but not in ENTITIES. 
3 Possible: A similar event has occurred at least once in ENTITIES. 
4 Likely: The event has occurred at least once in ENTITIES or is likely to occur within the lifetime of 10 
similar COMPANIES. 
5 Very Likely: The event has occurred more than several times in ENTITIES or has occurred once or twice 
in the lifetime of the COMPANY. 
6 Almost Certain: The event is likely to occur several times in the lifetime of the COMPANY. 

Quantitative criteria - Frequency (Occurrence/year): 
1 Rare: >= 10^-6 to < 10^-5 (greater than 1 in a million) 
2 Unlikely: >= 10^-5 to < 10^-4 (greater than 1 in 100,000) 
3 Possible: >= 10^-4 to < 10^-3 (greater than 1 in 10,000) 
4 Likely: >= 10^-3 to < 10^-2 (greater than 1 in 1,000) 
5 Very Likely: >= 10^-2 to < 10^-1 (greater than 1 in 100) 
6 Almost Certain: >= 10^-1 to < 1 (greater than 1 in 10) 


Where data exists to provide a quantitative estimate of likelihood, the use of the frequency and 
probability criteria is preferred. If not, the qualitative criteria can be used. 
Risk Assessment Matrix 

The matrix plots Likelihood (columns: Rare, Unlikely, Possible, Likely, Very Likely, Almost Certain) against 
Severity (rows: Disastrous, Catastrophic, Major, Serious, Minor, Notable); each cell is identified by the 
likelihood number and the severity letter (e.g., 5E, 6E, 6F). 
Plotting on a single risk matrix provides a visual representation of the assessment of risk. 
While risk assessment supports the prioritisation of risk management measures and resources, the 
position at which a risk is plotted on the matrix is not to be interpreted as prioritising the allocation of 
resources for the management of one risk over another. Each risk is different, has specific consequences, 
and requires the appropriate consideration of risk management measures. 

Risk assessment involves a range of methodologies and qualitative judgments and is, by its nature, inexact. 
It often relies on historic data, which may not accurately predict the true likelihood of a future scenario. 
Risks are typically represented by hypothetical scenarios that may not have ever occurred. 

When positioning a risk event on the risk matrix, it is not usually possible to determine precisely the impact 
and likelihood of the risk event. The position on the risk matrix reflects this uncertainty and is only 
approximate. 
Annex C - Qualitative Risk Assessment Workflow 

The workflow proceeds through the following steps: 

a. HAZARD Identification: event, scenario or activity being assessed (HAZID/HAZOP). 
b. Identify all potential consequences with respect to Health & Safety, Environment, Reputation, Financial 
and Legal domains. 
c. Estimate the severity levels of all identified consequences based on technical judgement. 
d. Estimate the HSE Likelihood/Frequency for all estimated consequence severities based on technical 
judgement. 
e. Map the estimated consequence severity levels and their respective likelihood levels in the risk matrix 
for obtaining the risk rank. 
f. The highest Risk Rank mapped, corresponding to the pair of consequence severity level and likelihood 
level, should be selected for assigning the Risk Level to the identified hazard. 
g. Assign the Risk Level/Category as per the mapping done in the Risk Matrix (e.g., Green = Low). 
Annex E - Risk Control Measures 


In common with governments and societies, companies recognise it is not always possible to eliminate or 
avoid risk entirely, but they are expected to take reasonable measures to reduce and/or mitigate risk to a 
level deemed acceptable. 

To enjoy the benefits of road transport, for example, people generally accept a level of risk while expecting 
governments to improve measures to reduce accidents and pollution. Likewise, when a COMPANY is 
establishing controls to manage operating risk, acceptance judgements and decisions regarding any 
“residual risk” will need to be made at a level in the organisation commensurate with the risk. To ensure 
consistency, risk management is commonly supported by criteria and approval processes. 

There are different response action categories, which correspond to key general approaches for risk 
treatment. These response action categories are: 

1. Tolerate, in case the level of risk is below the Risk Appetite. 
2. Treat, aiming at constraining risks to an acceptable level by removing the risk source and/or reducing 
likelihood or effects. 
3. Terminate, in case the risk is only treatable, or reducible to acceptable levels, by terminating the activity, 
especially at a project level. 
4. Transfer, reducing the exposure of the organization by leaving the risk to another organization considered 
more capable of effectively managing such risks. 
5. Take the opportunity, which is not an alternative to the above but should be considered whenever 
tolerating, transferring or treating a risk. 


1. TOLERATE 

The exposure may be tolerable without any further action being taken or, even if not tolerable, the ability 
to do anything may be limited (or the cost of taking any action may be disproportionate to the potential 
benefit). In these cases, the response may be to tolerate the existing level of risk. This option, of course, 
may be supplemented by contingency planning for handling the impact that will arise if the risk results 
in actual events. The actions related to this kind of approach are: 

* Risk acceptance: no action is taken to affect likelihood or impact. 

* Retaining: after risks have been changed or shared, there will be residual risks that are retained. The 
risk can be retained by informed decision: acceptance of the burden of loss, or benefit of gain, from 
a particular risk, including the acceptance of risks that have not been identified. Risks can also be 
retained by default, e.g., when there is a failure to identify or appropriately share or otherwise treat 
risks. Moreover, after opportunities have been changed or shared, there may be residual 
opportunities that are retained without any specific immediate action being required (retaining the 
residual opportunity). 


2. TREAT 

Usually, the majority of risks are addressed this way. The purpose of treatment is that whilst continuing 
with the activity that gives rise to the risk, specific action is taken to constrain a risk to an acceptable 
level. Generally, Actions related to Risk Treat depend on two approaches: 

* Removing: removing the risk source. 

* Risk reduction: actions are taken for: 

o Changing likelihood (mitigating actions): action taken to reduce the likelihood of negative 
outcomes and/or to increase opportunity, to get good outcomes. 

o Changing the consequences (contingency actions): actions taken to reduce the extent of losses 
and/or to increase the extent of gains regarding related opportunities. These include setting up 
pre-event measures and post-event responses such as continuity plans. 

Risk reduction measures include preventative or control measures (likelihood reducing) and mitigation 
or recovery measures (consequence severity reducing). If the risk is Green, no action may be required. 
Yellow, Amber and Red risks require formulating a remedial action plan, which should include agreed 
actions, responsible person(s), and completion date(s). In formulating these plans, it is important to 
realize that risk management measures include organizational and system measures, such as: 

* Personnel training and qualification procedures; 
* Change control and documentation procedures; 
* Quality assurance, operation, maintenance and inspection procedures; and, 
* Follow up that includes regular updates for progress to ensure actions are closed as per the remedial 
plan. 


From the risk management perspective, the first kind of action (changing likelihood) should be preferred 
as it prevents the risk rather than waiting for the consequences. 

Note. Risk treatment options are not necessarily mutually exclusive, or appropriate in all circumstances. 
Often a risk response may combine two or more of these strategies to achieve the desired results. An 
organization can normally benefit from adopting a combination of treatment options. Implementation 
of the risk responses selected involves developing a risk plan, outlining the management processes that 
will be used to manage risk or opportunity to a level set by the organization's 'risk appetite' and 
culture. Risk treatment involves selecting one or more options for modifying risks and implementing those 
options. Once implemented, treatments provide or modify controls: any action taken to address a risk 
forms part of what is known as "internal control". 


3. TERMINATE 
Some risks will only be treatable, or reducible to acceptable levels, by terminating the activity. It can be 
particularly important in project management. 


* Avoiding: action is taken to stop the activities giving rise to risk or avoiding the risk by not starting 
such activities (where this option can be practised). Risk avoidance cannot occur properly if 
individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may either 
increase the significance of other risks or lead to the loss of opportunities. 


4. TRANSFER 
For some risks, the best response may be to transfer them. The transfer of risks may be considered to 
either reduce the exposure of the organization or because another organization is judged more capable 
of effectively managing such risks. It is worth noting that some risks are not (fully) transferable: in 
particular, reputational risk can hardly be transferred. A relationship with the third party to which the 
risk is transferred needs to be carefully managed to ensure a successful transfer. Actions related to this 
kind of approach are as follows: 


* Transferring the risk or a portion of it. 

* Sharing: another party or parties bearing or sharing some part of the risk outcomes, usually by 
providing additional capabilities or resources that increase the likelihood of opportunities, or the 
extent of gains from them. Sharing positive outcomes can involve sharing some of the costs involved 
in acquiring them. Sharing arrangements can often introduce new risks, in that the other party or 
parties may not effectively deliver the required capabilities or resources. 


5. TAKE THE OPPORTUNITY 
This option is not an alternative to those above; rather it is an option that should be considered 
whenever tolerating, transferring or treating a risk. 
This can occur in two ways: 


* The first is when an opportunity arises to exploit a positive impact, whether or not action is taken to 
mitigate threats at the same time. 
* The second is when circumstances arise which, whilst not generating threats, offer positive 
opportunities. 

Hierarchy of Controls 
As a general recommended strategy for risk control, Figure 8 illustrates the Hierarchy of Controls for risk 
reduction in terms of their comparative effectiveness; the figure orders the controls from more effective 
to less effective. 

Figure 8: Risk Hierarchy of Control (HoC) 


Notes: Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in 
relation to the achievement of the objectives against the costs, effort or disadvantages of implementation. 
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. 
Risk treatment can also introduce new risks that need to be managed. 
Reliability of Control Measures: 
Controls should be assessed according to their reliability based on the following guide shown in Table 6. 
Reliance upon administrative or procedural controls alone may be appropriate for interim short-term 
interventions, but should not form the basis for longer-term risk reduction plans. 
Table 6: Control Types (listed from most to least reliable) 

Control type: Passive measures 
Example: Preventing a shore tank from overflowing during a discharge operation from a ship by installing a 
tank that is larger than the ship's capacity. 

Control type: Active measures 
Example: Preventing a shore tank from overflowing during a discharge operation from a ship by installing a 
high-level shutdown system. 

Control type: Administrative or Procedural controls 
Example: Preventing a shore tank from overflowing during a discharge operation from a ship by relying on 
operator monitoring and control. 
Annex F - Risk Assessment Fundamentals 

This appendix provides some basic guidance on risk assessment including: 
a. When an assessment might be required. 
b. What the minimum expectations are. 
c. Basic steps that comprise an assessment and common pitfalls. 


This appendix is intended to support the risk assessment step of the risk process. If assessing risk and no 
alternative definitive process is considered appropriate then the basic steps described here can be used as 
a guide. 
1. When are risk assessments done: 
Risk assessments are done for many reasons, including: 
a. Regulatory requirements. 
b. Holding Companies' requirements (e.g., in connection with a MOC). 
c. Supporting divestment and acquisition decisions. 
d. Identifying if the risk is sufficiently managed or if further reductions are necessary. 
e. Supporting decisions on project selection and design options to support ISD. 
f. Supporting prioritization of risk reduction options. 
g. Supporting decisions in design or operations. 
h. Reviewing changes to operations. 
i. Reviewing risks associated with the delivery of activities and considering what, if any, changes in the 
plan are needed. 
j. Supporting deviation/dispensation requests to review and consider what, if any, additional 
mitigations are needed to support the deviation/dispensation. 
k. Site selection. 
In general, the purpose of risk assessments is to stop and to think about potential risk scenarios before 
proceeding with a business or operational decision. 
2. Key features of a risk assessment 
In the context of the risk management process (i.e., when assessing risk for inclusion in a risk register) the 
following can be considered attributes of a well-conducted risk assessment: 
a. Documentation: Risk assessments are documented in a structured and systematic way. 
b. Purpose: The purpose of the assessment is clearly understood by those involved in the risk 
assessment. 
c. Team composition: A risk assessment involves: 
• More than one person. 
• At least one person who is familiar with the process or activity. 
• At least one person who is independent enough from the decision-making role to adequately 
challenge the design or operation. 
d. Appropriate input: The inputs to a risk assessment include relevant: 
• Basis of design. 
• Drawings and diagrams. 
• Procedures. 
• Consequence analysis (if available). 
• Historical data. 
• Other data to support the assessment. 
e. Methodology: Different methodologies are used depending on the purpose of the assessment. 
3. Steps in a risk assessment 
Risk assessments typically comprise the following steps: 
a. Hazard identification: Identify the hazards (i.e., energy sources) and what could go wrong if the 
hazards are not controlled (e.g., hydrocarbon released, vessel listing or well kick to the surface). 
b. Scenario development: Consider the causes that could result in loss of control of the hazards. 
The taxonomy or bow-ties might be helpful in this step. 
c. Consequence assessment (using the 6x6 risk matrix to assign an impact level). 
This might be supported by a formal consequence analysis (e.g., fire analysis) or based on the experience 
and judgement of the assessment team. 
d. Likelihood assessment (using the 6x6 risk matrix). 
This step may be supported by relevant incident or historical data and so be semi-quantified or quantified 
(e.g., FTA or ETA) or be based on the judgement of the assessment team. 
e. Mapping the output to the 6x6 risk matrix. 
f. Identify risk reduction measures. 
The first step in identifying risk reduction measures is to apply ISD principles to the activity being assessed 
to either eliminate the hazard or change the way that activity will be performed. If this is not possible or 
impracticable, then barriers are identified. 
g. Consider temporary risk reduction measures, if needed, to manage the risk while longer-term 
solutions are developed. 
For example, if assessing a barrier failure that requires repair or replacement 
h. Consider if any further risk reduction is needed. This will depend on: 
• Any specific requirements of the study methodology (e.g., HAZOP). 
• Whether regulatory and company requirements are being met. 
• Support of leadership based on the risk level. 
4. Risk reduction measures (barriers) 
Risk reduction measures (barriers) can be targeted at different aspects of the hazard and risk event. They 
have different effects on the likelihood or consequences depending on what they are intended to do. 
Barriers can be aimed at one of four ways of reducing the risk: 
a. Barriers that can prevent the cause from progressing to an event (e.g., re-route the well trajectory 
to avoid a shallow gas zone). 
b. Barriers that can prevent the event from happening (e.g., change the casing or cement design to 
ensure a strong section extends fully through the shallow gas zone). 
c. Barriers that can mitigate the consequence (e.g., ignition control system to prevent a fire or 
explosion from starting). 
d. Barriers that can mitigate the impact (e.g., alarms and evacuation systems to remove people from 
the vicinity as quickly as possible). 
Barriers that prevent the cause or event reduce the likelihood. Barriers that mitigate the consequence or 
impact reduce the impact. Generally, prevention barriers are considered to be preferred and can be more 
effective than mitigation barriers. 
5. Post-processing of the risk assessment 
After a risk assessment has been completed there are several steps to follow: 
a. Consider if the risk assessment has identified any new or changed risks that might either be missing 
or need to be updated in the risk register. 
b. Review the risk ranking from the risk assessment against the risk ranking of similar events in the risk 
register for consistency. If inconsistencies are identified one of the following is done: 
• Review and revise the risk assessment. 
• Update the risk ranking in the risk register. 


6. Recommendations from risk assessments 
If a risk assessment identifies recommendations to improve the management of the risk then: 
a. Recommendations are documented and followed up using the processes established by the 
segment or operating function. 
b. Recommendations should be able to deliver a demonstrable reduction in risk. 
c. Recommendations should be Specific, Measurable, Accountable, Realistic and Time-bound (i.e., 
'SMART') and not duplicate existing actions. 
d. Recommendations can be included in existing risk management plans in the risk register, if 
applicable. 


7. Pitfalls in risk assessments 
Some potential pitfalls in risk assessments include: 
a. Team members who are either: 
• Not familiar with the process or activity being assessed. 
• Driving an agenda that is inconsistent with the goals of the assessment. 
b. Too few or too narrow a range of team members, which can lead to risk consequences or likelihoods being 
under- or overestimated if the team has no direct experience or knowledge of more significant events 
occurring. 
c. Having too small or too big a team, which can result in insufficient support, a lack of full understanding of 
the risk, or the assessment getting bogged down with comments. 
d. Using the assessment to justify an answer that has already been determined, leading to not 
adequately reviewing the hazards, scenarios, and risks. 
e. Failing to follow up on recommendations, resulting in a false sense that risks are being managed, 
which can then create a backlog of actions. 
f. Making recommendations that will not achieve demonstrable risk reduction because it is perceived 
that making some recommendations is a necessary part of the process. 
g. Too narrow a scope, which can lead to the team failing to identify hazards that originate from a different 
area or activity that might result in a consequence for the area being considered. 
h. Using "cookie-cutter" techniques that assume one process is similar enough to another to avoid 
completing a full assessment. 
i. Overthinking the likelihood and consequence analysis, the purpose of which is primarily to set 
priorities and judge where to apply funds and resources. 
j. Not doing a risk assessment in the first place. 
k. Not confirming assumptions concerning barriers that are credited with risk reduction value when the 
barrier is not appropriate for the risk. 
Annex G - Roles and Responsibilities 

1. Risk Champion: 
A "Risk Champion" shall be assigned and held responsible for the following: 
a. Energizing and facilitating the risk management activities. 
b. Overall management and custodianship of the risk register and quality assurance of the data contained 
therein. 
c. Providing information as needed on the risk management process promptly to inform decision 
making. 
d. Providing training in the risk management process, including how to populate and maintain risk 
events in the risk register and produce reports, how to clearly and adequately describe risk events, 
how to assess risks and how to create effective risk reduction measures. 
e. Facilitating risk workshops. 

2. Risk Accountable: 
A "Risk Accountable" shall be assigned to each risk event with accountability to manage it. Typically, they 
are responsible for: 
a. Describing the risk event in the risk register. 
b. Assessment of the risk event so that its priority for action can be understood. 
c. Developing any additional risk reduction measures, where needed, and seeking resources to 
implement those measures. 
d. Monitoring the status of the risk. 
e. Updating the risk register for that risk. 
f. Liaising with the Risk Champion to ensure timely closure of the risk. 
g. Identifying the Action Owner. 
h. Following up with the Action Owners (updating, closing, etc.). 

3. Action Owner: 
Assigned by the Risk Accountable. Typically, they are responsible for: 
a. Implementing the action plan or their assigned part of it. 
b. Achieving the deliverables within the agreed timeline. 
c. Reporting progress to the Risk Accountable. 
d. Advising the Risk Accountable as soon as possible if the action plan, or their assigned part of it, may 
not be met, to facilitate effective intervention. 
Annex H - Risk Management Review Committees 

Below is the recommended high-level governance structure for Risk Management Committees at different 
Risk Levels: 

[Figure: organization chart headed by the HSE Risk Management Steering Committee] 
Figure 9: Typical Organization for Strategic Level Risk Management 

[Figure: organization chart showing the Managing Director(s) of Company A as Risk Owner for Level 1 Risks, with Level 3 Risks reviewed monthly at the lower tiers] 
Figure 10: Typical Organization for Tactical/Operational Level Risk Management 

Table 7: Recommended Risk Management Meeting Frequency 

Level 1 [ENTITIES Level] 
Frequency: Semi-Annually 
Who Shall Attend: HSE Risk Management Steering Committee involving: 
- CEO of ENTITIES 
- CEO Assistant for HSE 
- Level 1 Risk Champion (Certified Risk Officer) 
- Others nominated by the Steering Committee 
Discussion/Outcomes: 
- Discuss the Level 1 risks escalated from relevant Holding Companies. 
- Discuss the potential for common initiative(s) across the sector to tackle common risks. 
- Suggest a high-level recommendation to be cascaded across the sector. 
- Review the risk profile across all sectors and for all segments. 

Level 2 [ENTITY Level] 
Frequency: Quarterly 
Who Shall Attend: Each ENTITY's Risk Management Committee involving: 
- CEO of ENTITY 
- CEO Assistants for (HSE, Operations, Projects, Finance ...etc.) 
- Level 1 Risk Champion (Certified Risk Officer) 
- Others nominated by the Risk Management Committee 
Discussion/Outcomes: 
- Discuss Level 1 risks received from COMPANIES. 
- Monitor the status of existing controls and any short-term actions in place. 
- Discuss the potential for common initiative(s) across the COMPANIES to tackle common risks. 
- Suggest a high-level recommendation to be cascaded across the COMPANIES. 
- Review the risk profile of the Holding Company across all segments. 

Level 3 [COMPANY Level] 
Frequency: Quarterly 
Who Shall Attend: Chairman, Managing Director(s), Level 1 Risk Champion, Line Managers and Level 2 
Risk Champions (if invited). 
Discussion/Outcomes: 
- Review response action plans. 
- Assess the effectiveness of mitigation plans. 
- Review HSE & Business Level 1 risk registers. 
- Discuss identified risk rankings. 
- Agree on risk mitigation measures. 
- Action deferrals. 

Level 4 [COMPANY Level] 
Frequency: At least bi-monthly, and might be conducted more frequently based on changes in risk status. 
Who Shall Attend: Level 2 Risk Champions, Line and Department Managers & Project / Plant Managers. 
Discussion/Outcomes: 
- Assess/reassess risks. 
- Review response action plans. 
- Assess the effectiveness of mitigation plans. 
- Review & update HSE & Business Level 2 risk registers. 
- Action/risk closure and deferral. 

Level 5 [COMPANY Level] - Operational Risk Review 
Frequency: Monthly 
Who Shall Attend: Risk Champions, Project or Plant Manager, Risk Accountable, Action Owners, Level 2 
Risk Champion & Project / Operation Team. 
Discussion/Outcomes: 
- Assess/reassess risks. 
- Review response action plans. 
- Assess the effectiveness of response plans. 
- Review & update HSE & Business Level 3 risk registers. 
- Review actions progress and due dates. 
Annex I - Signoff requirements for various residual risk levels 

Risk Level: Highest residual risk level (above 'Amber') 
Action: 
- Immediate action is required to reduce the risk to tolerable levels and ALARP must be demonstrated for 
the control actions taken. 
- A hierarchy of control shall be adopted while selecting risk reduction measures. Engineering controls 
shall be the preferred risk reduction measures in the hierarchy. 
- Immediate site management notification and action required; site management shall escalate the 
finding to a higher level of management immediately. 
- Short-term risk reduction measures that will reduce the risk level to 'Amber' or less must be put in 
place immediately. Additional short-term risk reduction measures that will reduce the risk level to 
'Amber' or less must be put in place as soon as practicable. 
- Permanent (long-term) measures to reduce the risk level to 'Amber' or less must be implemented within 
a specified time. 
Signoff Authority: Chairman / Managing Director(s) / VPs / CEO / Key Officers (consultation with 
appropriate SME required). 

Risk Level: 'Amber' 
Action: 
- Site management notification and action required. 
- A hierarchy of control shall be adopted while selecting risk reduction measures. Engineering controls 
shall be the preferred risk reduction measures in the hierarchy. 
- All attempts should be made to reduce the risk level to 'Yellow' or less. 
- Risk reduction measures to reduce the risk level to 'Yellow' or less must be implemented within a 
specified time. 
Signoff Authority: Senior Manager / Line Manager, i.e., Operations GM, Projects GM, Drilling GM, 
Financial GM, HSE GM ...etc. 

Risk Level: 'Yellow' 
Action: 
- If practical, reduce the risk to risk level 'Green'. 
- Demonstrate ALARP and ensure controls are in place and effective to maintain a risk level within ALARP, 
verified periodically. 
- Permanent risk reduction measures (if required) must be implemented within a specified time approved 
by site management. 
Signoff Authority: Site Managers / Project Managers / Function GM, i.e., District GM, Refinery Unit GM 
...etc. 

Risk Level: 'Green' 
Action: 
- Monitor to ensure the procedures and controls that maintain the risk level remain effective. 
Signoff Authority: Area Authority / Department Managers, i.e., OIM, Production Manager, Maintenance 
Manager ...etc. 

For site/activity-based risk assessments such as risk assessments as part of PTW/CoW processes (Task Risk 
Assessments, HITRA, Job Safety Analysis, etc.), risk assessment as part of preventive maintenance deferral 
(temporary defeat), override management etc., signoff requirements shall be as per the signoff authority 
levels established in those processes. 